General Information & Benefits

Single Sign-On (SSO) is a method for authenticating and authorizing employees to log in to your Kotis program using your company's existing identity provider. Without SSO, each person must be individually added as a user, sent an invitation email, and create their unique password to log in and access your Kotis program and/or portals. SSO replaces the need for individuals to create new accounts exclusive to Kotis's system by allowing them to log in to Kotis using their existing company credentials.

Benefits of SSO include:

• Replaces Passwords - users do not have to generate and remember another password unique to Kotis; they use their existing company credentials to log into your Kotis program.
• Easy User Setup - SSO allows users to use your Kotis program more quickly by utilizing their existing company account instead of following the steps to set up a separate Kotis account.
• Secure Access Removal - once a user's company login is deactivated, they cannot log in to your Kotis program.

Setup

We currently support SSO for the following identity providers:

• Google Workspace
• Azure Active Directory
• Okta
• SAML

Standard Process

1. Tell your Kotis team which identity provider your company uses.
2. Your Kotis team will provide you with setup instructions specific to your identity provider that your IT team will follow to establish the connection.
3. Your IT team will need to send Kotis your private key using a secure method. Examples of programs that allow you to share information securely are 1Password, Google Drive, OneDrive, etc. This step is included in the setup instructions.
4. Once Kotis receives your key, we will enable your SSO connection. Turnaround time to enablement can be as fast as same-day or up to a few days. Once SSO is enabled, all users must log in via SSO immediately. We do not have a testing process at this time.

If you are using SAML, a few extra steps in addition to the four above are outlined in the documentation your Kotis team will provide in step 2.

FAQ

What is the difference between authentication and authorization, and who is responsible for what when using SSO?

Authentication is the process of verifying that the person logging in is who they say they are. Standard authentication methods include entering a password, clicking a link in an invitation email, or entering a code from an authentication app. Under SSO, your company is responsible for user authentication for your Kotis program using your identity provider.

Authorization is the process of granting authenticated users access to specific systems or applications. Kotis authorizes users by assigning them different levels of access to our system. Even using SSO, we can designate users as portal users, portal admins, or program admins. If you have a layer of authorization within your identity provider, that acts in addition to the Kotis authorization rather than replacing it.

Can we set up SSO only for specific portals? Or can we set it up for our program admins but not for internal portal users?

No—SSO is a blanket authentication method for our entire platform and cannot be applied to only some areas of our system. This includes all portals, all program pages, and MyKotis.

Can I still choose which users can access specific portals? Or vice versa, can I grant all SSO users access to a particular portal?

Yes. For the former scenario, we would add individual users to the portals they should be able to access. For the latter, we have a setting to allow all SSO users to view the portal.

I have an issue establishing the connection or a question not covered above.

Please get in touch with your Kotis team for any troubleshooting help or additional information you might need.